1. Field of the Invention
This disclosure relates in general to computer security, and more particularly to a method, apparatus and program storage device for providing service access control for a user interface.
2. Description of Related Art
Computer security is the process of preventing and detecting unauthorized use of computers and networks. Prevention measures help in stopping the unauthorized users (also known as “intruders”) from accessing any part of a computer system or network. Detection involves the determination of whether or not someone attempted to break into a computer system or network, if they were successful, and what they may have done.
The Internet and the World Wide Web (WWW) have provided data processing system users with what is effectively a global communication network interconnecting a vast number of databases and other network users. The local link between the network and the user is typically by way of a high speed Internet connection. There are many different types of high-speed internet access services including DSL, ADSL, SDSL, cable and satellite. There are many major benefits to high-speed (broadband) internet access. One huge benefit is that you get an always-on connection to the internet. This means that there is never a need to dial in and you will never have to worry about busy signals. Instead you have a constant connection to the Internet whenever your computer is on.
However, because a user's workstation is coupled directly to such communication interfaces, any network user ostensibly has the ability to access any information resource coupled to a network node. Because the network provides a potential window into any information resource linked to any of its nodes, it is customary to protect all communications using a security system to protect against the unauthorized access to another system resource (e.g., another computer).
The concepts behind network security break nicely into four categories: Authentication, Authorization (a.k.a. Access Control), Accounting, and Secure Communications. Authentication is simple verification of a user's identity. Always based on some form of trust, authentication relies on something that the user has, which can be compared to a known constant (the trusted value). This can occur either in an interaction with the user (a user ID and password are entered), or can range up to complex biometrics systems like fingerprint identification, face recognition or retinal scans. Authentication also can occur by proxy, such as a stored authentication token (kept in a workstation's memory while the user remains logged in, or on a token such as a smartcard).
Authorization, also known as access control, decides who is allowed where. File permissions are a good example of access controls. Usually stored in resource-level ACLs (access control lists), these are simply lists of authenticated users (or groups of users) who are allowed to access or are barred from accessing a given resource. This is usually the most complex aspect of network security since it requires the secure, centralized storage and access of these ACLs. Authorization can occur only once a user is authenticated, as authorization systems rely on lists of authenticated users.
Accounting involves the basic task of recording who accessed what resource. Most network operating systems and services include some form of logging. This can either be performed independently at each service, or through a centralized accounting server. However, if performed centrally, all accounting information must be transferred securely, and can be affected by denial of service attacks (for instance, a hacker wishing to cover his tracks could prevent logging messages from reaching the accounting server).
Secure communications involves the ability to protect network transmissions from both interception (where private information can be compromised) as well as unauthorized transmission, where a hacker can masquerade as a secure host, or can insert data into an established connection.
In present day networks and computer systems, the need for privacy and proper authentication of the network and computer users is one of the foremost areas of concern. In many software systems the customer, or user, initiates actions through a user interface. The right to access the interface is commonly authenticated and authorized (also referred to as auth2) by accepting a userID and password, and comparing these to valid userIDs and passwords. Valid userID/passwords are typically stored in a directory server or verification reference such as LDAP, Kerberos, etc.
In addition to typical customer users, service people often need access to the customer's system in order to perform various maintenance or diagnostic support functions. Service access is a concern to customers because it usually implies granting to an outsider the capability to see or modify confidential data, or modify the state of a sensitive system in a manner not possible through customer interfaces.
Service access is sometimes provided through a separate interface (portal) to the system, rather than through the user interface. Sometimes service access is through the user interface but involves the use of special service codes or commands (that customers are not given). Service access is typically intended to be restricted to service personnel only. Service commands are sometimes undocumented, or hidden by “trap doors” in user interfaces, or use separate interfaces not readily available to customers.
There are many ways to implement secured service access. For example, secured service access may be provided using passwords that are based on time, authorization systems that require presentation of two separate credentials, and systems that control access level depending on the authentication credentials presented. Methods that use time-based passwords compute the password from the current time, or incorporate references to time into the password, so that a password is only valid for a limited interval. Dual authorization schemes require two forms of credentials at the same time; e.g., the user must supply a password in combination with an electronic key fob. These methods increase the security of the system by adding a physical requirement, or by requiring participation from more than one party. A combined access and authentication scheme provides for controlled access to a system, wherein the type and scope of access depends on the user authentication credentials presented.
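As an added illustration (not part of the disclosure), the following Python combines the three approaches above: a time-limited service code, a dual-credential requirement (user password plus service code), and an access level that depends on which credentials are presented, with every decision written to an accounting record. The HMAC-over-interval construction, the user store, the secret and the 60-second interval are assumptions for the demo.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo data; a real deployment keeps secrets in a directory server or HSM.
USER_DB = {"alice": "s3cret-user-pw"}          # userID -> password (demo only, not hashed)
SERVICE_SECRET = b"constructed-service-secret"  # shared with the vendor's service personnel
INTERVAL = 60                                   # seconds a service code remains valid
AUDIT_LOG = []                                  # accounting record of every auth2 decision

def service_code(secret: bytes, now: float, interval: int = INTERVAL) -> str:
    """Time-based service code: HMAC over the current interval counter (assumed scheme)."""
    counter = int(now // interval).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()[:8]

def verify_service_code(code: str, now: float, drift: int = 1) -> bool:
    """Accept the code for the current interval and +/- drift adjacent intervals,
    using a constant-time comparison so timing does not leak which digit failed."""
    return any(
        hmac.compare_digest(code, service_code(SERVICE_SECRET, now + d * INTERVAL))
        for d in range(-drift, drift + 1)
    )

def auth2(user_id: str, password: str, svc_code: Optional[str], now: float) -> str:
    """Single auth2 entry point for the user interface.
    Returns the granted access level: 'none', 'user' or 'service'.
    Service access is only reachable after ordinary user authentication succeeds,
    so the service credential never opens a separate, less-controlled path."""
    level = "none"
    stored = USER_DB.get(user_id)
    if stored is not None and hmac.compare_digest(stored, password):
        level = "user"
        if svc_code is not None and verify_service_code(svc_code, now):
            level = "service"
    # Accounting: who asked, whether a service code was presented, what was granted.
    AUDIT_LOG.append({"t": int(now), "user": user_id, "level": level,
                      "service_code_presented": svc_code is not None})
    return level
```

Because the log records the user under whose session the service code was accepted, the customer cannot later repudiate having granted that access.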
However, such systems and techniques present several undesirable security vulnerabilities. For example, customers may learn to access the service portal by observing service people. These customers may then use the service portal to access dangerous commands, commands that compromise system vendor internal information, or commands that compromise the reliability of the system. Further, hackers may use the service portal to compromise the system. Unauthorized users can enter the system and learn enough to break into the user interface. Control over authentication and authorization (auth2) may be weakened if provided in a separate interface. Authorized users can use the service interface to gain access to unauthorized capabilities. The customer must give service people poorly restricted access to the system in order to give them service access.
Interactive computer systems share data among the various applications, components and nodes. In an interactive software system it is problematic to partition the user interface from the service interface. Today, service access control methods have drawbacks in terms of engineering effort, security, auditability, ease of automated scripting, and/or non-repudiation, i.e., preventing the user from denying earlier access authorization.
For example, prompting for service auth2 separately from user auth2 makes scripting more complicated. A special service interface, or service enabling switch, compromises security, since its existence advertises additional avenues of attacking the system. Since typically customers are not intended to access the service interface, if they do somehow gain access, that access is usually not subject to the identical controls as the user interface. Moreover, requiring the user to grant auth2 credentials to the service people gives full visibility of service access to the system. It also means the user cannot repudiate having granted the access.
It can be seen then that there is a need for a method, apparatus and program storage device for providing service access control for a user interface.